In distributed environments, such as network systems, client workstations typically transmit data to and receive data from a server over an unsecured network. The network typically routes a data packet from a client workstation to the server based on identifying information contained in the header of the data packet.
For example, on the Internet, data is typically transmitted using transmission control protocol (TCP) or user datagram protocol (UDP) on top of Internet protocol (IP). In these protocols, the IP destination address is a series of four 8-bit numbers that identifies a particular destination.
In typical scenarios, the server may be the front end of a company's internal network that connects client workstations to company resources, such as private databases of information, secured systems and various company programs. Adversaries of a company, or hackers, may attempt to infiltrate the company's internal network using packet “sniffers.” A sniffer is a mechanism that captures all traffic transmitted to/from the server. The adversary may use the information obtained by a sniffer to “map” the company's network. For example, the adversary may identify the network topology of the company's network by observing the addresses and ports being used in data packets transmitted to/from the server. The adversary may then try to use this network topology information to access confidential information or maliciously attack the company's network.
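The following is an added illustration, not part of the original text, of why the header fields described above are enough to map a network: the IP addresses and transport ports travel in clear in the packet header, so any device positioned on the unsecured path can read them without decrypting the payload. The code decodes constructed IPv4/TCP and IPv4/UDP headers with Python's standard `struct` module and tallies which destination hosts and ports appear, which is exactly the picture a passive observer accumulates. The addresses used are from the reserved documentation range 192.0.2.0/24 and the packets are constructed inline; nothing is captured from a real network.

```python
import struct
from collections import defaultdict

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17


def build_ipv4_packet(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Construct a minimal IPv4 packet with an empty TCP or UDP header (sample data only)."""
    src_b = bytes(int(octet) for octet in src.split("."))
    dst_b = bytes(int(octet) for octet in dst.split("."))
    if proto == IP_PROTO_TCP:
        # TCP header: ports, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
        transport = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    elif proto == IP_PROTO_UDP:
        # UDP header: ports, length (header only), checksum (0 = none)
        transport = struct.pack("!HHHH", sport, dport, 8, 0)
    else:
        raise ValueError("only TCP and UDP sample packets are constructed here")
    total_len = 20 + len(transport)
    # IPv4 header: version 4 / IHL 5, TOS, total length, id, flags/frag, TTL 64, proto, checksum 0, src, dst
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src_b, dst_b)
    return ip_header + transport


def parse_header(packet: bytes) -> dict:
    """Decode the cleartext header fields of an IPv4 packet: addresses, protocol and ports."""
    if len(packet) < 20:
        raise ValueError("packet too short for an IPv4 header")
    ver_ihl, _tos, _tlen, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20]
    )
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("invalid IPv4 header length")
    info = {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "proto": proto,
    }
    # Both TCP and UDP place source and destination ports in the first four bytes of their header.
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP) and len(packet) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info


def map_destinations(packets) -> dict:
    """Aggregate what a passive observer learns: each destination host and the ports addressed on it."""
    seen = defaultdict(set)
    for packet in packets:
        info = parse_header(packet)
        if "dport" in info:
            seen[info["dst"]].add((info["proto"], info["dport"]))
    return {host: sorted(ports) for host, ports in seen.items()}


# Constructed sample traffic: one client workstation talking to two internal hosts.
SAMPLE_PACKETS = [
    build_ipv4_packet("192.0.2.50", "192.0.2.10", IP_PROTO_TCP, 51000, 443),
    build_ipv4_packet("192.0.2.50", "192.0.2.10", IP_PROTO_TCP, 51001, 22),
    build_ipv4_packet("192.0.2.50", "192.0.2.11", IP_PROTO_TCP, 51002, 80),
    build_ipv4_packet("192.0.2.50", "192.0.2.11", IP_PROTO_UDP, 51003, 53),
]

if __name__ == "__main__":
    for host, ports in map_destinations(SAMPLE_PACKETS).items():
        print(host, ports)
```

Every field this code reads sits outside the payload, so payload encryption (for example, TLS) leaves it intact; that is the gap the background section is pointing at.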
Firewalls, password and ID requirements, and other security features have been employed to lessen the risk of these types of attacks. Such mechanisms, however, often cannot prevent network discovery by sophisticated adversaries.
Therefore, a need exists for systems and methods that prevent unauthorized network discovery.